From cf773c9f1c21cd67fbb0475770b121d64bc5960f Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Mon, 25 Jul 2022 09:23:25 +0200 Subject: [PATCH] Bug 31219: Prevent JS injection in patron extended attributes We are sanitizing other attributes but "extended patron attributes". Test plan: Make a patron attribute editable at the OPAC Edit an existing patron, or register a new one Use a script tag in the new value ("" for instance) With this patch the value is remove if containing an HTML tag that is not br b i em big small strong (see C4::Scrubber) Signed-off-by: Mark Hofstetter Signed-off-by: Katrin Fischer Signed-off-by: Lucas Gass --- opac/opac-memberentry.pl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/opac/opac-memberentry.pl b/opac/opac-memberentry.pl index f456362c3a..e1a86e65b3 100755 --- a/opac/opac-memberentry.pl +++ b/opac/opac-memberentry.pl @@ -739,6 +739,7 @@ sub ParsePatronAttributes { my $delete_candidates = {}; + my $scrubber = C4::Scrubber->new(); while ( my ( $code, $value ) = $ea->() ) { if ( any { $_ eq $code } @editable_attribute_types ) { # It is an editable attribute @@ -748,7 +749,7 @@ sub ParsePatronAttributes { } else { # we've got a value - push @attributes, { code => $code, attribute => $value }; + push @attributes, { code => $code, attribute => $scrubber->scrub( $value ) }; # 'code' is no longer a delete candidate delete $delete_candidates->{$code} -- 2.39.5